    Archive for August 21st, 2009




    CRIME/IDENTITY

    Albert Gonzalez

    Albert Gonzalez may be taking the majority of the heat (and rightly so), and the full force of U.S. law enforcement prosecution, but he is only the tip of the proverbial iceberg.

    There is an entire Eastern European organized criminal operation that is further along in this food chain.

    In case you haven’t heard, Gonzalez and his co-conspirators are responsible for hacking into TJX, Heartland Payment Systems, Dave & Buster’s, and other retailers and payment processors to steal credit and debit card account numbers.

    As Kim Zetter reports on the Wired “Threat Level” Blog, there are multiple Eastern European connections to known organized criminal operations in Russia, The Ukraine, and Latvia (and elsewhere), some of which Trend Micro threat researchers have been tracking for several years now.

    Besides these direct hacks of businesses and credit card processors, we have seen very robust growth in malware that directly targets banking institutions and banking login credentials, malware that piggy-backs on banking sessions, and so on, ad nauseam, all in an effort to steal money. Period.

    In fact, the largest growth of malware that we have seen in 2009 has virtually all been geared towards stealing credentials of one sort or another.

    This is organized cyber crime at its most base form, and it is actually getting worse.

    There is a rather long and twisted history here — especially involving Gonzalez and other individuals involved in similar crimes — but the really interesting connections lead back to Eastern Europe, especially Russia and The Ukraine.

    While I’m not trying to make this incident any more shocking than it already is, the real issues are not being discussed in the mainstream media — luckily, Wired has dug into the background of these issues a bit, and so has Brian Krebs at The Washington Post.

    Make no mistake, these issues are very complicated — all “good” criminals make sure that they are hard to track. But not all tracks are invisible.

    Trend Micro researchers, including myself, have been tracking this specific criminal activity in Eastern Europe for several years now, and we intend to first, protect our customers, and secondly, try to work with law enforcement and others to identify the criminals.

    Trend Micro researchers are hard on the trails of these malicious activities, and when we identify sites that are designed to victimize you, we ensure that they get blocked by the Trend Smart Protection Network.

    Make sure you are protected.

    Trend Micro researchers not only ensure that our customers are protected, but we also actively work with international law enforcement to identify the criminal actors behind these crimes.

    Don’t be victimized.

    “Fergie” a.k.a. Paul Ferguson, Threat Research

    [Image: thumbnail of the spam message]
    Just today, we at the Content Security team received a large number of spam messages with a ZIP attachment that contains a backdoor. The email informs the user that the product he/she ordered or purchased online has already been sent, and then asks the user to view the tracking details by opening the attachment.

    The attachment is not an Office file; it is instead an executable, which Trend Micro detects as BKDR_REDOLAB.AL. This backdoor’s main duty appears to be downloading TROJ_RENOS.BAV. RENOS variants are known downloaders of rogue antivirus components and software. Our engineers are currently analyzing the capabilities of this Trojan.

    Various Web-based infection vectors have been used in connection with rogue antivirus scams. In the last couple of months, rogue antivirus has been the final payload of blackhat SEO attacks (as in the case of the malicious links that came up when users searched for news about Corazon Aquino’s death and the latest solar eclipse) and of malicious Twitter posts. The last time we saw malicious attachments leading to rogue antivirus was in the Reconfigure Your Outlook spam.

    The latest spam pattern in the Trend Micro Smart Protection Network already blocks this spam run. The malicious files are detected as BKDR_REDOLAB.AL and TROJ_RENOS.BAV. This entry will be updated for the full behavior of the RENOS Trojan.
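    The lure above works because the recipient expects a "tracking document" and gets a ZIP whose single entry is really an executable. As an added illustration (not Trend Micro's code), the Python below builds a constructed sample of such a message and then inspects its ZIP attachment the way a mail gateway filter would, flagging entries by executable extension, by a document-style double extension, and, most importantly, by content (the PE "MZ" magic) rather than by name alone. The sender, recipient and file names are placeholders.

```python
import email
import io
import os
import zipfile
from email.message import EmailMessage

DOCUMENT_EXTS = {".doc", ".xls", ".pdf", ".txt", ".rtf"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

def build_sample_eml() -> bytes:
    """Constructed lure: 'your order shipped' text plus a ZIP holding a PE stub named like a document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed PE-like stub: the DOS 'MZ' magic followed by filler; not a real program.
        zf.writestr("tracking_details.doc.exe", b"MZ" + b"\x00" * 62 + b"stub")
    msg = EmailMessage()
    msg["From"] = "orders@example.invalid"   # placeholder sender
    msg["To"] = "user@example.invalid"       # placeholder recipient
    msg["Subject"] = "Your order has been shipped"
    msg.set_content("Your purchase was sent. Open the attached tracking document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="tracking.zip")
    return msg.as_bytes()

def inspect_zip_attachments(raw: bytes) -> list:
    """Return [(attachment/entry, [reasons])] for ZIP entries that look executable."""
    findings = []
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True)
        if not data or not data.startswith(b"PK"):
            continue  # only ZIP containers are inspected here
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                reasons = []
                stem, ext = os.path.splitext(info.filename.lower())
                if ext in EXECUTABLE_EXTS:
                    reasons.append("executable extension")
                if os.path.splitext(stem)[1] in DOCUMENT_EXTS:
                    reasons.append("double extension")
                # Judge by content, not by name: a PE file starts with the 'MZ' magic.
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        reasons.append("PE header")
                if reasons:
                    findings.append((f"{part.get_filename()}/{info.filename}", reasons))
    return findings
```

    The content check is the one that matters: an entry renamed to a plain ".doc" would pass both name checks and still be caught by the "MZ" test.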
    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice